
Commit 68c00a6

thibaudmichaud authored and mibrunin committed
[Backport] Security bug 384565015
Manual cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/v8/v8/+/6098197:

[wasm][arm][tail-call] Free scratch register earlier

In Liftoff's PrepareTailCall, we kept the UseScratchRegisterScope open for longer than necessary. Close the scope earlier to ensure that we don't run out of scratch registers in the last "sub" instruction if it needs one.

[email protected]

Fixed: 384565015
Change-Id: Ib36c515f5aca7d0c5899564d474cb3be6e0d9f85
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6098197
Reviewed-by: Clemens Backes <[email protected]>
Commit-Queue: Thibaud Michaud <[email protected]>
Cr-Commit-Position: refs/heads/main@{#97846}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/615717
Reviewed-by: Anu Aliyas <[email protected]>
1 parent 3415cb4 commit 68c00a6

File tree

1 file changed

+17
-15
lines changed


chromium/v8/src/wasm/baseline/arm/liftoff-assembler-arm.h

Lines changed: 17 additions & 15 deletions
@@ -493,21 +493,23 @@ void LiftoffAssembler::CallFrameSetupStub(int declared_function_index) {
493493

494494
void LiftoffAssembler::PrepareTailCall(int num_callee_stack_params,
495495
int stack_param_delta) {
496-
UseScratchRegisterScope temps(this);
497-
Register scratch = temps.Acquire();
498-
499-
// Push the return address and frame pointer to complete the stack frame.
500-
sub(sp, sp, Operand(8));
501-
ldr(scratch, MemOperand(fp, 4));
502-
str(scratch, MemOperand(sp, 4));
503-
ldr(scratch, MemOperand(fp, 0));
504-
str(scratch, MemOperand(sp, 0));
505-
506-
// Shift the whole frame upwards.
507-
int slot_count = num_callee_stack_params + 2;
508-
for (int i = slot_count - 1; i >= 0; --i) {
509-
ldr(scratch, MemOperand(sp, i * 4));
510-
str(scratch, MemOperand(fp, (i - stack_param_delta) * 4));
496+
{
497+
UseScratchRegisterScope temps(this);
498+
Register scratch = temps.Acquire();
499+
500+
// Push the return address and frame pointer to complete the stack frame.
501+
sub(sp, sp, Operand(8));
502+
ldr(scratch, MemOperand(fp, 4));
503+
str(scratch, MemOperand(sp, 4));
504+
ldr(scratch, MemOperand(fp, 0));
505+
str(scratch, MemOperand(sp, 0));
506+
507+
// Shift the whole frame upwards.
508+
int slot_count = num_callee_stack_params + 2;
509+
for (int i = slot_count - 1; i >= 0; --i) {
510+
ldr(scratch, MemOperand(sp, i * 4));
511+
str(scratch, MemOperand(fp, (i - stack_param_delta) * 4));
512+
}
511513
}
512514

513515
// Set the new stack and frame pointer.
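Review bot: The reason for the new `{ ... }` block is only stated in the commit message; add a one-line comment above the opening brace (e.g. `// Release the scratch register before the final sub below, which may need one itself.`) so a later cleanup does not hoist `UseScratchRegisterScope temps(this);` back to function scope and reintroduce the exhaustion. The trailing context stops at `// Set the new stack and frame pointer.` and does not show the `sub` the message refers to, so these lines alone do not confirm that nothing between the closing brace and that instruction acquires another temp; a regression test that exercises the case described in the message (the final `sub` needing a scratch register) would make the fix verifiable rather than relying on the comment.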
